Policy paper

Cyber Security Regulation and Incentives Review

This review considered whether there is a need for additional regulation or incentives to boost cyber risk management in the wider economy.



During 2016, as part of the Government’s £1.9 billion strategy to protect the UK in cyber space, DCMS conducted a review to consider whether there is a need for additional regulation or incentives to boost cyber risk management across the wider economy. The review was conducted in close consultation with a wide range of businesses, industry partners and stakeholders, and gathered evidence from a broad range of sources.

The Review is published here and sets out a number of conclusions and recommendations, including:

  • There is a strong justification for regulation to secure personal data, as there is a clear public interest in protecting citizens from crime and other harm.
  • Government will therefore seek to improve cyber risk management in the wider economy through its implementation of the forthcoming General Data Protection Regulation (GDPR). The breach reporting requirements and fines that can be issued under GDPR will represent a significant call to action for industry.
  • This will be supplemented by measures to more clearly link data protection with cyber security, including through closer working between the Information Commissioner’s Office and the new National Cyber Security Centre.
  • Further new measures include working with the investment community to produce cyber security guidance, and working with regulators via a new Regulators’ Forum which will share good practice and threat information.
  • For now, Government will not seek to pursue further general cyber security regulation for the wider economy over and above the GDPR.

Also published here is some underpinning research which informed the review, ‘Cyber Security: testing mechanisms for change’.

Published 21 December 2016